17

I am setting up an infrastructure using Fargate and RDS for my web application.

Here are the basic details of infrastructure.

  1. Fargate and RDS are using the same VPC and the same subnet
  2. We have an Application Load Balancer in front of Fargate
  3. Able to access container applications using the LB URL

Now the problem is, the Fargate container application is not able to connect to RDS.

Can somebody suggest how to configure security groups or other parameters to allow containers to connect to RDS?

If I change the RDS SG configuration with the RDS port and IP as 0.0.0.0/0 (Anywhere), the container application is able to connect to RDS. But we will not be able to do this in UAT / PROD.

ajoy sinha

3 Answers

17
  1. Find the security group ID of your Fargate service. It will look like sg-ab3123b1252, but with different values after sg-.
  2. In your RDS security group rules, instead of putting a CIDR in your source field, put the Fargate service security group ID. Port 5432 (assuming you are using the standard PostgreSQL port).

By adding the Fargate security group to your RDS security group rule, you're saying "allow TCP traffic on port 5432 from any resource that uses the Source security group specified".

Check the default VPC group in the docs. That page is required reading anyway, but the section linked has an example of what I'm describing specifically.

bluescores
    I tried accomplishing this with VPC Peering but had no luck (https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html). Is VPC peering meant for something else? – jamis0n Jan 03 '20 at 18:52
  • It worked for me. However, if I want to allow the database to be Publicly Accessible then I can't use the same security group for the Fargate service. Any suggestions? – Abu Shoeb Dec 10 '21 at 03:10
  • This was exactly what I was missing. Even though EC2 instances in the same subnet as Fargate could access RDS, Fargate could not access RDS without this rule. – YoungDinosaur Jul 12 '22 at 21:14
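An added example (not from the answer's author or from AWS) that checks an RDS security group, in the JSON shape `aws ec2 describe-security-groups` returns, for the two things this answer is about: the 0.0.0.0/0 workaround the question mentions being present, and the source-security-group rule being absent. The sample security group and the `sg-…` IDs below are constructed placeholders; the assumed port is 5432 as in the answer, and the remediation helper builds the equivalent `aws ec2 authorize-security-group-ingress --source-group` call.

```python
"""Audit an RDS security group's ingress rules for SG-to-SG scoping (constructed example)."""

DB_PORT = 5432  # standard PostgreSQL port, as assumed in the answer

# Constructed sample: IDs are placeholders, not real resources. This SG still has
# the 0.0.0.0/0 workaround from the question and no rule referencing the Fargate SG.
FARGATE_SG = "sg-0fargate00000001"
RDS_SG = {
    "GroupId": "sg-0rds000000000001",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def _covers_port(rule, port):
    """True if an IpPermissions entry matches TCP traffic to `port` (or is all-protocol)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1))


def audit_rds_ingress(sg, port, fargate_sg_id):
    """Return findings as strings; an empty list means the SG matches the recommended setup."""
    findings = []
    sg_referenced = False
    for rule in sg.get("IpPermissions", []):
        if not _covers_port(rule, port):
            continue  # rule for some other port, not relevant to the database
        for r in rule.get("IpRanges", []):
            if r.get("CidrIp") == "0.0.0.0/0":
                findings.append(f"tcp/{port} open to 0.0.0.0/0; remove this rule")
        for r in rule.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == "::/0":
                findings.append(f"tcp/{port} open to ::/0; remove this rule")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == fargate_sg_id:
                sg_referenced = True  # the rule the answer describes is present
    if not sg_referenced:
        findings.append(f"no rule allowing tcp/{port} from {fargate_sg_id}")
    return findings


def remediation_command(rds_sg_id, port, fargate_sg_id):
    """AWS CLI argv that adds the source-security-group rule from the answer."""
    return ["aws", "ec2", "authorize-security-group-ingress",
            "--group-id", rds_sg_id, "--protocol", "tcp",
            "--port", str(port), "--source-group", fargate_sg_id]
```

Run `audit_rds_ingress(RDS_SG, DB_PORT, FARGATE_SG)` against the real `describe-security-groups` output for the RDS group to confirm the rule landed without the Anywhere rule still in place.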
0

You may want to try configuring your VPC IP with RDS port into the RDS SG.

0

In addition to allowing the Security Group access we also had to grant IAM permissions to the role used by our ECS stuff.

Matthew Allen
    I think I have the same issue: I added the ECS Fargate Security Group to the RDS ingress security group. Could you cut/paste that IAM policy here? I'm guessing that it has to be an IAM role granted to ECS to access RDS but I'm struggling with the AWS documentation... ;) thanks!! – Pierre Apr 15 '21 at 14:25